With 15 years in the anti-fraud and AML space, I credit some successes to the ability to think like a criminal. So it is with this mindset that I’m writing this for FinCEN’s consideration in creating AML-specific regulatoryobligations for transaction facilitators and charity crowdfunding sites.

As it seems now there is no legislation proposed that would protect the U.S. financial system specifically, payment facilitators (facilitators) and charity-focused crowdfunding sites, from being used as a conduit for illicit activities. As of April 4th, 2016, FinCEN has proposed regulations to treat the equity based crowdfunding sites as broker/dealers.

However, charity-focused crowdfunding sites do not have any proposed regulations. Forbes stated in a 2015 article that crowdfunding was estimated to grow to over $34 billion in 2015. While charity-focused crowdfunding sites make up only a portion of the $34 billion from 2015, the risks are still present and should be considered as the crowdfunding industry is expected to expand to over $220 billion in the next ten years.

In June of 2015 GoFundMe’s total raised was $1.2 billion from May 2010 to August 2015, and in the past 365 days GoFundMe has raised over $2 billion. With this amount of explosive growth, it is important to detect and mitigate the risks present with these charity crowdfunding sites. A hint of things to come is highlighted in FinCEN’s SAR Stats October 2015 publication. Seventy-nine SARs were filed that highlighted the risks associated with crowdfunding sites. This FinCEN Report also provides narrative commonalities for these crowdfunding SARs, that included the following:

Personal bank accounts funded by cash deposits from unidentified individuals and checks from foreign businesses. The funds were then transferred to crowdfunding sites.

Wire transfer activity from the U.S.-based account of a foreign political party to a foreign country. This account was funded by personal checks drawn on foreign banks, online money transmitter transfers, out-of-state cash deposits, and deposits from crowdfunding sites.

Individuals received deposits from crowdfunding sites, followed by structured cash withdrawals from the accounts.

Customers received electronic deposits from multiple checking accounts, then immediately made payments to crowdfunding sites.

An account relationship (personal and business account) funded by a high volume of personal checks, money transmitter payments, and crowdfunding payments was sending a large volume of wires to a high risk country.

Charity-focused crowdfunding sites utilize third party payment facilitators (facilitators) to fund donations from contributors. These crowdfunding sites in turn use a financial institution/bank to facilitate deposits and withdrawals of funds collected from their various contributors.

Most transaction monitoring performed for the various sites like GoFundMe, Indiegogo, CrowdRise, Fundly, and YouCaring pertain to protecting contributors (payers) from being defrauded. And most of these sites pay their facilitators to monitor for this activity.

However, the actual risk I see relates to protecting the U.S. financial system from illicit activities related to money laundering. Transaction monitoring for money laundering is touched on with PCI standards with the Consumer Financial Protection Bureau (CFPB) being the regulatory enforcement for gateway processors (some facilitators) but none for (charity based) crowdfunding sites.

So how would the involved financial institutions that bank these crowdfunding sites be able to fully vet AND monitor the activities of the parties involved?

There are the individuals, or campaigners, who set up profiles to raise funds and also there are individuals who are contributing to the ‘causes’. These causes may seem legitimate but could be a front for money laundering, human trafficking, terrorist financing, or drug trafficking.

Most financial institutions are merely the recipients of dollars in and out for their customer – the crowdfunding site. The card numbers, names, websites, emails, etc. do not flow through to the banking relationship as this information rests with the crowdfunding platform and their facilitator. So this begs the question – How are these segregated businesses that all hold a different piece to the puzzle going to work together to make sure AML risks are properly identified and mitigated?

The chart below gives a high level overview of what the 4 parties – credit card networks, crowdfunding sites, financial institutions and payment facilitators – are currently doing and their limitations as it relates to the transaction process:

A criminal can take advantage of this system and go completely unnoticed by simply following a legitimate pattern. John Doe, as the Campaigner, would set up a profile on a crowdfunding site such as HelpMe, with a heartbreaking scenario and an apparent legitimate cause. John ‘Deceiver’ Doe is really a drug kingpin and is trying a new way of collecting money due from his various lower level dealers.

These individuals that owe John Doe money (paying for drugs) are given the instructions via email that they are to ‘donate’ to this good cause. HelpMe uses the transaction facilitator, PayThat, to process all of the funds coming from the contributors to John Doe. If Mr. Doe gave instructions to 50 contributors to ‘donate’ what they are owed, he can collect what is due without having a cash element that often raises red flags.

That’s a lot of money that would go undetected on the banking side of this scenario as the contributors are using their debit/credit cards issued by various banks across the U.S. The bank of deposit for John Doe would most likely see the large deposit from HelpMe, perform some research (confirm he has a charitable profile setup on the HelpMe site) and then the AML/fraud team would move on.

The card network and the financial institutions would see different parts of this scenario and would take appropriate action, if they were prompted to review. However, they don’t know what they don’t know. The charitable site, HelpMe, has outsourced their compliance or risk obligations to their facilitator, PayThat. PayThat, holds important data that is not available to the individual card networks or financial institutions.

To better explain the flow of funds and actions taken by various parties, see the infographic below.

HelpMe – crowdfunding site

John Doe – started a ‘charitable’ campaign on HelpMe

PayThat – facilitator for HelpMe

ABC Bank – HelpMe’s bank

XYZ Bank – John Doe’s bank

X – contributor’s to Doe’s campaign

Some would see this infographic and assume that any of these relationships, besides the facilitator would be able to (and required to) detect money laundering. However, the monitoring and detection performed by the card networks and the banks are limited to what they know. Which often times is a very small piece of the puzzle. The facilitators and the crowdfunding sites hold the bigger, more important, pieces to the puzzle.

If we extrapolate John Doe’s example across multiple sites or charitable causes on one site we see the ability of the facilitators and the crowdfunding sites to capture the data and trend it to find those contributors and campaigners that should raise red flags.

Please note that the red flags and suspicious activity we are trying to detect and mitigate are not solely fraud related. As it stands now, most facilitators offer fraud monitoring and mitigation to their customers (the crowdfunding sites).

Fraud monitoring efforts should not be blended with money laundering monitoring efforts. These two, much like in the banking world, should remain separate. The criminal mindset is different as is the facilitator’s internal incentives for performing these functions. Fraud mitigation efforts save dollars and can have tangible benefits, while money laundering monitoring is seen as merely an expense with no positive effect on the bottom line. This is especially true since there is not a monetary penalty for non-reporting of money laundering activities.

In an article from CNNMoney, a financial supporter of a popular facilitator stated that “PayPal does not move as fast as startups”. While this statement is most likely true, it is for good reason. PayPal, as a financial institution, knows the pain of AML compliance – the cost of these complicated regulations that for other payment facilitators are a bit murky.

The burden of compliance should not be completely on the banks for mainly two reasons – 1) the facilitators are not sending all the detailed payment information data to the banks; and 2) the crowdfunding sites are not sending all the detailed user information to the banks.

Companies like WePay, which provide processing services to some of the largest crowdfunding sites, do not have AML compliance obligations. They provide compliance for applicable regulations for their customers (PCI and OFAC), but as a standalone company, WePay does not have to comply with federal anti-money laundering statutes.

There are a few benefits in making facilitators and crowdfunding sites comply with certain federal AML regulations:

Gives the whole picture to banks that are responsible for performing due diligence and monitoring of facilitators;

Facilitates sharing under 314(b) regulations;

Opens up a data set on the user that is lost for banks;

Formalizes and enforces a standard for monitoring and reporting of suspicious activity.

In the AML world, cash was king; now data is king. With so many facilitators involved in various levels of the transaction process it would benefit FinCEN to outline the risks of all the parties involved in these types of transactions – charity-focused crowdfunding sites and facilitators (and their various roles in the payment process) – and consider at what level those parties could contribute to the overall mission of safeguarding the financial system from illicitly derived funds.